The IT security industry has failed its customers. Despite a proliferation of investment, a recent VMware and Forbes Insights study found that only a quarter of business leaders across Europe, Middle East and Africa are confident in their current cybersecurity, and less than a fifth (18 per cent) are confident in the readiness of their people and talent to address security concerns.
We now live in a world of greater complexity, with more interactions, connected devices, sensors, dispersed workers and the cloud, all of which have created an exponentially larger attack surface. This raises questions of enterprises’ abilities to protect themselves in this more sophisticated digital age.
So, what’s the answer? For many, it is to spend more – 83 per cent of respondents to the VMware/Forbes Insights survey are increasing the purchase or installation of new security products in the next three years.
While the willingness to invest is commendable, is a lack of investment up to this point why people are less confident in their ability to counter cyberthreats? Hardly – IDC forecasts worldwide spending on security-related hardware, software, and services will reach $103.1 billion in 2019, an increase of 9.4 per cent over 2018.
On the one hand we have security spending going up. On the other we have more security incidents having greater consequences. According to the EU, the economic impact of cybercrime rose five fold from 2013 to 2017.
It’s clear, therefore, that simply spending money on the same security won’t fix the problem. Don’t get me wrong, investment is need. But it is about the right type of investment and a rethink in the way we approach securing our data, applications, networks and ultimately our organisations.
Three steps to fix cybersecurity
More specifically, three things need to happen. We need to stop focusing as much on reactive threat detection, increase the focus on applications and make security intrinsic.
Why do we need to stop focusing as much on threat detection? Historically, that’s where security spend has been. VMware’s own analysis suggests 80 per cent of enterprise IT’s investment in security goes on reactive measures, and it’s also where 72 per cent of VC funding in security start-ups goes. More than half (54 per cent) of respondents to the VMware/Forbes Insights study say they plan to spend more on detecting and identifying attacks.
Yet if you’re constantly chasing the next threat that means you’re already behind. Cyberthreats are evolving rapidly – by honing in on detecting threats, at best you can defend yourself against copycats. You’ll still be exposed to those attackers that do something different.
That’s before you consider that it’s a case of ‘when, not if’, your defences are breached: a ransomware attack happens every 14 seconds . So, to only invest in threat detection means less resource for other areas of security.
Don’t get me wrong, reactive threat detection is still critical. But there needs to be a shift away from trying to prevent breaches at all costs. With the inevitably of breaches a reality, what matters is how quickly we can detect them and take effective mitigating action. There needs to be more focus on proactive, preventative measures – in essence, those that reduce the attack surface area.
In short, definitely invest in detection, but invest more in prevention.
Secondly, the real focus should be on applications. You’d be hard pressed to find a security product that doesn’t claim to be ‘application aware’, but what does that actually mean?
Knowing more about the known good of application behaviour becomes critical. With this in mind you can better on understanding the 50 things that should be happening rather than trying to protect against the 50,000 that shouldn’t be. Think about it this way. When you get out of bed in the morning, you know you are supposed to feel. If you feel unwell, you don’t individually in your head go through the thousands of different viruses that could be the cause. You can single out the thing, the sore throat or painful eye that hurts. Because you know your body and what your known good feels like. The same approach can be taken to security. That means security is really about understanding how applications actually work, so that they can operate effectively, rather than being restricted due to risk aversion.
All of this is just not possible without truly intrinsic security. Again, this is the sort of phrase that gets touted about, but how often does it truly happen? Currently, enterprises use anywhere between 50 to 100 different security products. That’s 50 to 100 solutions that need to be managed, updated, patched, aligned and connected to relevant apps, which in turn need constant management and updates. It’s intricate, cross-connected and overly complex.
What if, instead of bolting on more products, we took a step back and looked at how we use what we already have in our operations to secure the organisation? Software.
It’s not another product you buy, install or operate, or an agent you have to install and manage. It’s foundational software that you are already using, common across apps and data, wherever they reside: private data centres, clouds, edge, containers, desktops, and mobile devices. We see applications, we know what they are, where they are, what they are doing, and what they are supposed to be doing.
How do you make things intrinsically secure? By protecting the network, the common element that touches everything. It used to be that IT and network security were separate – now they’re converging rapidly. Deploying virtual cloud networks gives enterprises a universal fabric – secure that and everything it touches is secure. It’s more efficient, easier to manage. It’s also automated, freeing up your people to focus on more valued-adding innovation tasks.
A multi-layered approach
What these three focuses do is introduce a multi-layered approach to security – one that puts proactive prevention alongside threat detection, that puts the lens on the good rather than exhaustive time and money on assuming the worst, and that uses the benefits of cloud infrastructure to protect the organisation.
This future of security makes every individual element of the infrastructure inherently secure: if one layer or element gets breached, then the next element is secure, and the next, limiting the damage that can be done. It recognises that breaches are a case of when, not if, and acts accordingly. In doing so, we can all improve confidence in our security policies and procedures, cut down on unnecessary spending, and reduce the damage successful attacks can cause. And, importantly, this built in security means a business can take their business in any direction, innovate and add new IoT, AI and ML technologies, knowing that the heart of the business is secure.
Joe Baguley, VP and CTO, EMEA, VMware